cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4349
Views
0
Helpful
8
Replies
Beginner

ASA5505 Remote VPN with hairpin to L2L VPN

Hi.   I have been searching for days trying to find out what could be wrong with the configuration of an ASA5505 running Firmware version 7.2(2).   I am trying to set up a hairpin connection between my laptop on the VPN tunnel (192.168.25.12) to access the server across the L2L VPN (192.168.1.10) on the diagram below.

The remote VPN function is working, as I can RDP to the 192.168.25.10 server from my laptop, and the L2L VPN is working since I can RDP from server 192.168.25.10 to server 192.168.1.10.  I am trying specifically to run RDP from my laptop without having to log into the .25 network.

I have tried multiple changes to my NAT tables and my ACL configurations to no avail.  Can someone please help me to understand what is wrong with my configuration?

: Saved

:

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password ykhud5eCZELCCoHu encrypted

names

name 192.168.24.0 RemoteVPN

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.25.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 173.xxx.xxx.20 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.25.10

name-server 68.87.85.98

domain-name default.domain.invalid

dns server-group ncdc

name-server 192.168.25.10

name-server 68.87.85.98

same-security-traffic permit intra-interface

object-group network Dallas

network-object 192.168.1.0 255.255.255.0

network-object host 192.168.1.10

object-group service RDP tcp

description Remote Desktop Port

port-object eq 3389

access-list inside_20_cryptomap extended permit ip any host 192.168.1.10

access-list inside_nat0_outbound extended permit ip any object-group Dallas

access-list inside_nat0_outbound extended permit ip 173.11.214.16 255.255.255.248 object-group Dallas

access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.192

access-list inside_nat0_outbound extended permit ip any host 192.168.1.10

access-list inside_nat0_outbound extended permit ip any RemoteVPN 255.255.255.192

access-list inside_access_out extended permit ip 192.168.25.0 255.255.255.0 any

access-list inside_access_out extended permit icmp any any echo

access-list inside_access_out extended permit icmp any any echo-reply

access-list outside_access_in extended permit ip any 192.168.25.0 255.255.255.0

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit ip RemoteVPN 255.255.255.0 host 192.168.1.10

access-list outside_cryptomap_20 extended permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list VP_splitTunnelAcl standard permit 192.168.25.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip RemoteVPN 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool Dallas 192.168.2.12-192.168.2.34 mask 255.255.255.0

ip local pool RemoteConnect 192.168.24.10-192.168.24.45 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (outside) 0 access-list outside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.1.10 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp 192.168.25.51 87 173.xxx.xxx.20 ftp netmask 255.255.255.255

static (outside,inside) tcp 192.168.25.51 8080 173.xxx.xxx.20 8080 netmask 255.255.255.255

static (outside,inside) tcp 192.168.25.10 3389 173.xxx.xxx.20 3389 netmask 255.255.255.255

static (inside,outside) RemoteVPN RemoteVPN netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_out out interface inside

route outside 0.0.0.0 0.0.0.0 173.11.214.22 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

ldap attribute-map ActiveDirectoryMapTable

  map-name  VP cVPN3000-IETF-Radius-Class

  map-value VP CN=VPNUser,CN=Users,DC=VP VPNUserPolicy

aaa-server VP protocol ldap

aaa-server VP host 192.168.25.10

ldap-base-dn CN=Administrators,CN=Builtin,DC=VP

ldap-scope onelevel

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn CN=Administrator,CN=Users,DC=VP

server-type microsoft

ldap-attribute-map ActiveDirectoryMapTable

group-policy VP internal

group-policy VP attributes

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VP_splitTunnelAcl

username Tech password f05JZRvsmFaw4Uqf encrypted privilege 15

username VPNUser password cnYM.Ml1XxVujQd4 encrypted privilege 7

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.25.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 66.xxx.xxx.148

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 20 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto map inside_map 20 match address inside_20_cryptomap

crypto map inside_map 20 set pfs

crypto map inside_map 20 set peer 66.xxx.xxx.148

crypto map inside_map 20 set transform-set ESP-DES-MD5

crypto map inside_map interface inside

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

crypto isakmp nat-traversal  20

crypto isakmp ipsec-over-tcp port 10000

tunnel-group 66.xxx.xxx.148 type ipsec-l2l

tunnel-group 66.xxx.xxx.148 ipsec-attributes

pre-shared-key *

tunnel-group VP type ipsec-ra

tunnel-group VP general-attributes

address-pool RemoteConnect

default-group-policy VP

tunnel-group VP ipsec-attributes

pre-shared-key *

tunnel-group Domainaccts type ipsec-ra

tunnel-group Domainaccts general-attributes

address-pool RemoteConnect

authentication-server-group VP

default-group-policy VP

tunnel-group Domainaccts ipsec-attributes

pre-shared-key *

telnet 173.xxx.xxx.20 255.255.255.255 outside

telnet 192.168.25.0 255.255.255.0 inside

telnet RemoteVPN 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 192.168.25.10 68.87.85.98

dhcpd domain VP

dhcpd auto_config outside

!

dhcpd address 192.168.25.12-192.168.25.129 inside

dhcpd dns 192.168.25.10 68.87.85.98 interface inside

dhcpd update dns interface inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

client-update enable

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command uauth

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

Cryptochecksum:0ad2ea133bd13d8018f2899f86a9a101

: end

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Enthusiast

ASA5505 Remote VPN with hairpin to L2L VPN

Anthony,

In order for the traffic to traverse the tunnel, the other site must include the subnet of your VPN clients on their Interesting traffic. Remeber that a VPN consists of a set of rules that must match on both sides so your VPN client will fail to the get to other side as long as they dont allow it on their ACLs.

At this point there is no security association created for the traffic between your VPN client and the remote site. That means that the traffic will no go thru. This is because they havent added your VPN client's subnet to their interesting traffic.

BTW the fact that the tunnel is up, doesnt mean you can send any network's traffic thru it. Remember that it should be explicitly allowed on the ACLs of both sites.

I hope this answers your questions. 

Raga

View solution in original post

8 REPLIES 8
Highlighted
Enthusiast

ASA5505 Remote VPN with hairpin to L2L VPN

Basically you need to modify your interesting traffic.

On the ASA:

Add your IP Pool the the crypto ACL:

access-list outside_cryptomap_20 permit ip 192.168.24.0 255.255.255.0 192.168.1.0 255.255.255.0

Add the remote site's network to your SPlit tunneling ACL:

access-list VP_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

On the remote Router, add a line for the return traffic to the VPN Pool

access-list xxx permit ip  192.168.1.0 255.255.255.0 192.168.24.0 255.255.255.0

Do the same for the NAT Exception ACL on the remote site.

And that should do it.

Here is a doc that explains what you are trying to do in case you need some clarification:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

I hope this helps.

Raga

Highlighted
Beginner

ASA5505 Remote VPN with hairpin to L2L VPN

Hi,

Add the pool to crypto access of VPN tunnel and add remote sites network in split tunneling, and yeh dont for get to add no nat acl for remote site as well.

That sould do the trick.

Sian

Highlighted
Beginner

ASA5505 Remote VPN with hairpin to L2L VPN

Luis,

The link you posted with the information was close to what I am trying to get working, however, I am not using TACACS+ Authentication.  Knowing that I could find an article close to what I was looking for, I found this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

With that information, I have added the recommended lines to my CRYPTO and NAT ACLs.  Now when I run packet tracer for an echo reply from my laptop to the L2L network server, I no longer get an IPSECspoof failure.  Instead, I get a failure in phase 10 of the packet tracer.

Is this a condition of the IPSec traffic coming in encryped from the VPN client, then being decrypted by the ASA before going back out?  If so, what keeps the ASA from sending the un-encrypted version back through to fail?

In case it was an Authentication problem, I removed some extra AAA server information that was not being utilized in my configuration so that I can work one issue at a time.

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password ykhud5eCZELCCoHu encrypted

names

name 192.168.24.0 RemoteVPN

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.25.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 173.xxx.xxx.20 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.25.10

name-server 68.xxx.xxx.98

domain-name default.domain.invalid

dns server-group ncdc

name-server 192.168.25.10

name-server 68.xxx.xxx.98

same-security-traffic permit intra-interface

object-group network Dallas

network-object 192.168.1.0 255.255.255.0

network-object host 192.168.1.10

object-group service RDP tcp

description Remote Desktop Port

port-object eq 3389

access-list inside_20_cryptomap extended permit ip any host 192.168.1.10

access-list inside_nat0_outbound extended permit ip any object-group Dallas

access-list inside_nat0_outbound extended permit ip 173.xxx.xxx.16 255.255.255.248 object-group Dallas

access-list inside_nat0_outbound extended permit ip any host 192.168.1.10

access-list inside_nat0_outbound extended permit ip any RemoteVPN 255.255.255.192

access-list inside_access_out extended permit ip 192.168.25.0 255.255.255.0 any

access-list inside_access_out extended permit icmp any any echo

access-list inside_access_out extended permit icmp any any echo-reply

access-list outside_access_in extended permit ip any 192.168.25.0 255.255.255.0

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit ip RemoteVPN 255.255.255.0 host 192.168.1.10

access-list outside_cryptomap_20 extended permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip RemoteVPN 255.255.255.0 192.168.1.0 255.255.255.0

access-list VP_splitTunnelAcl standard permit 192.168.25.0 255.255.255.0

access-list VP_splitTunnelAcl standard permit RemoteVPN 255.255.255.0

access-list VP_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip RemoteVPN 255.255.255.0 object-group Dallas

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool Dallas 192.168.2.12-192.168.2.34 mask 255.255.255.0

ip local pool RemoteConnect 192.168.24.10-192.168.24.45 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (outside) 0 access-list outside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.1.10 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp 192.168.25.51 87 173.xxx.xxx.20 ftp netmask 255.255.255.255

static (outside,inside) tcp 192.168.25.51 8080 173.xxx.xxx.20 8080 netmask 255.255.255.255

static (outside,inside) tcp 192.168.25.10 3389 173.xxx.xxx.20 3389 netmask 255.255.255.255

static (inside,outside) RemoteVPN RemoteVPN netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_out out interface inside

route outside 0.0.0.0 0.0.0.0 173.xxx.xxx.22 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

ldap attribute-map ActiveDirectoryMapTable

  map-name  VP cVPN3000-IETF-Radius-Class

  map-value VP CN=VPNUser,CN=Users,DC=VP VPNUserPolicy

group-policy VP internal

group-policy VP attributes

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VP_splitTunnelAcl

username Tech password f05JZRvsmFaw4Uqf encrypted privilege 15

username VPNUser password cnYM.Ml1XxVujQd4 encrypted privilege 7

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.25.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 66.205.177.148

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 20 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto map inside_map 20 match address inside_20_cryptomap

crypto map inside_map 20 set pfs

crypto map inside_map 20 set peer 66.205.177.148

crypto map inside_map 20 set transform-set ESP-DES-MD5

crypto map inside_map interface inside

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

crypto isakmp nat-traversal  20

crypto isakmp ipsec-over-tcp port 10000

tunnel-group 66.205.177.148 type ipsec-l2l

tunnel-group 66.205.177.148 ipsec-attributes

pre-shared-key *

tunnel-group VP type ipsec-ra

tunnel-group VP general-attributes

address-pool RemoteConnect

default-group-policy VP

tunnel-group VP ipsec-attributes

pre-shared-key *

telnet 173.xxx.xxx.20 255.255.255.255 outside

telnet 192.168.25.0 255.255.255.0 inside

telnet RemoteVPN 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 192.168.25.10 68.xxx.xxx.98

dhcpd domain VP

dhcpd auto_config outside

!

dhcpd address 192.168.25.12-192.168.25.129 inside

dhcpd dns 192.168.25.10 68.xxx.xxx.98 interface inside

dhcpd update dns interface inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

client-update enable

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command uauth

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

Cryptochecksum:0ad2ea133bd13d8018f2899f86a9a101

Highlighted
Enthusiast

ASA5505 Remote VPN with hairpin to L2L VPN

Anthony,

The authentication server is not required for this so you dont need to worry about that.

Now  your ACL looks good. How about the other side's config? Do you have access to that one too?

If not can you add the output of a "show crypto ipsec sa"  while you are connected with the VPN client and trying to ping a host on the remote site?

Thanks!

Highlighted
Beginner

ASA5505 Remote VPN with hairpin to L2L VPN

I do not have access to the configuration of the 192.168.1.0 side of the L2L VPN.  I do know, however, that the L2L is up and running since I can ping from a server on the 192.168.25.0 subnet.

Here is the output you request.  I have a continuous ping from a server on the .25.0 network (Hub Server) to the .1.0 network (L2L server) that is constantly succeeding.  In addition, I have a continuous ping from the 24.0 network (VPN) to the L2L server that consistently fails.

Result of the command: "show crypto ipsec sa"

interface: outside

    Crypto map tag: outside_map, seq num: 20, local addr: 173.xxx.xxx.20

      access-list outside_cryptomap_20 permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.25.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      current_peer: 66.xxx.xxx.148

      #pkts encaps: 279371, #pkts encrypt: 279371, #pkts digest: 279371

      #pkts decaps: 244761, #pkts decrypt: 244761, #pkts verify: 244761

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 279371, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 173.xxx.xxx.20, remote crypto endpt.: 66.xxx.xxx.148

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: A1D1D1F0

    inbound esp sas:

      spi: 0xE220AD68 (3793792360)

         transform: esp-des esp-md5-hmac none

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 851, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4273830/16485)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xA1D1D1F0 (2714882544)

         transform: esp-des esp-md5-hmac none

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 851, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4274129/16485)

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 173.xxx.xxx.20

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.24.12/255.255.255.255/0/0)

      current_peer: 68.xxx.xxx.191, username: VPNUser

      dynamic allocated peer ip: 192.168.24.12

      #pkts encaps: 15310, #pkts encrypt: 15310, #pkts digest: 15310

      #pkts decaps: 9521, #pkts decrypt: 9521, #pkts verify: 9521

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 15310, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 173.xxx.xxx.20/4500, remote crypto endpt.: 68.xxx.xxx.191/55184

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 9F24024E

    inbound esp sas:

      spi: 0x8FF40E63 (2415136355)

         transform: esp-3des esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 857, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (sec): 15418

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x9F24024E (2669937230)

         transform: esp-3des esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 857, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (sec): 15418

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 173.xxx.xxx.20

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.24.13/255.255.255.255/0/0)

      current_peer: 76.xxx.xxx.240, username: VPNUser

      dynamic allocated peer ip: 192.168.24.13

      #pkts encaps: 2151, #pkts encrypt: 2151, #pkts digest: 2151

      #pkts decaps: 1801, #pkts decrypt: 1801, #pkts verify: 1801

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 2151, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 173.xxx.xxx.20/4500, remote crypto endpt.: 76.xxx.xxx.240/59294

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 0F983000

    inbound esp sas:

      spi: 0x6952808E (1767014542)

         transform: esp-3des esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 860, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (sec): 28268

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x0F983000 (261632000)

         transform: esp-3des esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 860, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (sec): 28268

         IV size: 8 bytes

         replay detection support: Y

Highlighted
Enthusiast

ASA5505 Remote VPN with hairpin to L2L VPN

Anthony,

In order for the traffic to traverse the tunnel, the other site must include the subnet of your VPN clients on their Interesting traffic. Remeber that a VPN consists of a set of rules that must match on both sides so your VPN client will fail to the get to other side as long as they dont allow it on their ACLs.

At this point there is no security association created for the traffic between your VPN client and the remote site. That means that the traffic will no go thru. This is because they havent added your VPN client's subnet to their interesting traffic.

BTW the fact that the tunnel is up, doesnt mean you can send any network's traffic thru it. Remember that it should be explicitly allowed on the ACLs of both sites.

I hope this answers your questions. 

Raga

View solution in original post

Highlighted
Beginner

ASA5505 Remote VPN with hairpin to L2L VPN

Raga,

There was definitely issue with the configuration on the 192.168.1.0 network router.  Since the L2L traffic was up and running with the 192.168.25.0 network traffic and the fact that I don't have access to the far end router, my end solution was to change the RemoteVPN address pool to 192.168.25.128-150.  When doing this, I ensured that I kept the access lists and NAT translations correct.

After making this change, I am able to successfully access all devices on both the 25.0 and 1.0 networks from remote VPN.  Thank you for your help.

Highlighted
Enthusiast

ASA5505 Remote VPN with hairpin to L2L VPN

Hey Anthony.

It´s great to hear that you got it working!

Have fun!

Raga

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here